Hello,
I have a server that for some reason, out of the blue is now having a huge amount of its email being rejected, coming back with 550 5.7.1 NDR's or various derivatives thereof. This just started happening a couple days ago suddenly. This is happening to a large number of domains. At first I thought it was just email hosted by GoDaddy because several of them were hosted there. However, it is now apparent that the issue is much more widespread.
I have:
Checked DNSBL lists.
Scanned the Local PC's for Malware/spyware.
Verified that only the server can send SMTP traffic through the firewall.
Sent email address through an administrator account.
Sent emails that are only text based.
Sent emails that are HTML based.
Sent basic emails (nothing attached, just a test text body, no signature).
Sent email through OWA directly.
Had the recipients add the domain to a safe sender list in Outlook.
Verified SPF records.
Verified rDNS records.
For the fun of it changed the external IP address that the email flows from with no change.
I am running out of ideas to try. Any suggestions would be GREATLY appreciated.
This server is connected directly to the firewall, the firewall does not perform any filtering.
I am pasting an example NDR. What is really odd is that it looks like it passes all the spam checks and is given a SPF rating of -4, mentions that is is on a safe sender and then just gives up.
#< #5.7.1 smtp;550 5.7.1 Message rejected due to content restrictions> #SMTP#
Original message headers:
Received: from mail23-am1-R.bigfish.com ([161.7.8.25]) by DOAISD75213.mtdmz.ad
over TLS secured channel with Microsoft SMTPSVC(7.0.6002.18222); Fri, 21 Feb
2014 08:31:22 -0700
Received: from mail23-am1 (localhost [127.0.0.1])
by mail23-am1-R.bigfish.com (Postfix) with ESMTP id ADCFD1003A1
for <_________>; Fri, 21 Feb 2014 15:31:20 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:69.146.164.109;KIP:(null);UIP:(null);IPV:NLI;H:mail.bearpaw.org;RD:mail.bearpaw.org;EFVD:NLI
X-SpamScore: -4
X-BigFish: vps-4(zz1861Ic89bh103dKa40Ic857hde40hzz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1de098h8275bh1de097h186068hz2fh109h2a8h839h8e2h8e3hd25h1288h12a5h12bdh137ah13eah1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h1b0ah1bceh224fh1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1fe8h1ff5h20f0h2216h22d0h2336h2438h2461h2487h24d7h2516h2545h255ehbe9i34h1155h)
X-MS-Exchange-Organization-Force-TLS: 0
X-FFO-Routing-Override: mt.gov%161.7.8.28;
Received-SPF: pass (mail23-am1: domain of bearpaw.org designates 69.146.164.109 as permitted sender) client-ip=69.146.164.109; envelope-from=__________; helo=mail.bearpaw.org ;.bearpaw.org ;
X-MS-Exchange-Organization-Antispam-Report: OrigIP: 69.146.164.109;Service: EHS
Received: from mail23-am1 (localhost.localdomain [127.0.0.1]) by mail23-am1 (MessageSwitch) id 1392996678568717_17980; Fri, 21 Feb 2014 15:31:18 +0000 (UTC)
Received: from AM1EHSMHS006.bigfish.com (unknown [10.3.201.228])
by mail23-am1.bigfish.com (Postfix) with ESMTP id 7ADCB240079
for <_________>; Fri, 21 Feb 2014 15:31:18 +0000 (UTC)
Received: from mail.bearpaw.org (69.146.164.109) by AM1EHSMHS006.bigfish.com
(10.3.207.106) with Microsoft SMTP Server (TLS) id 14.16.227.3; Fri, 21 Feb
2014 15:31:15 +0000
Received: from SERVER.bpd.local ([fe80::50fe:d0bf:d57d:2f5d]) by
SERVER.bpd.local ([fe80::50fe:d0bf:d57d:2f5d%10]) with mapi; Fri, 21 Feb 2014
08:31:13 -0700
Content-Type: multipart/mixed;
boundary="_000_0D7E2AB4DAB13448A100F4A967F15C29010F798434DASERVERbpdlo_"
From:___________
To: _____________
Date: Fri, 21 Feb 2014 08:31:10 -0700
Subject: __________________________
Thread-Topic: _____________________________
Thread-Index: Ac8toIauLfTa3ulLRaCz4ClaFcUdMgArks5QAAS1bmAALg/IMA==
Message-ID: <0D7E2AB4DAB13448A100F4A967F15C29010F798434DA@SERVER.bpd.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <0D7E2AB4DAB13448A100F4A967F15C29010F798434DA@SERVER.bpd.local>
acceptlanguage: en-US
MIME-Version: 1.0
X-MS-Exchange-Organization-OriginalArrivalTime: 21 Feb 2014 15:31:15.9707
(UTC)
X-MS-Exchange-Organization-OriginalClientIPAddress: 69.146.164.109
X-MS-Exchange-Organization-OriginalServerIPAddress: 10.3.207.106
X-MS-Exchange-Organization-AuthSource: AM1EHSMHS006.ehs.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-ConnectorInfo: Dn%*$RO%0$FUIP%$LKIP%$KIPT%0$Id%0$Di%0$Tls%0$SF%0$PF%0$CF%0$FQDN%$TlsDn%$IpfH%IPV:NLI$EnfH%H:mail.bearpaw.org;RD:mail.bearpaw.org;EFVD:NLI$
X-MS-Exchange-Organization-Company-Id:
X-MS-Exchange-Organization-Attributed-Sender-Id:
X-MS-Exchange-Organization-OriginalSize: 283945
X-MS-Exchange-Organization-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-MessageLatencyInProgress: LSRV=AM1EHSMHS006.ehs.local:TOTAL=2|SMR=2;2014-02-21T15:31:18.435Z
Return-Path: _____________________
X-OriginalArrivalTime: 21 Feb 2014 15:31:22.0430 (UTC) FILETIME=[F98A1DE0:01CF2F19]
Thank you very much for any help that anyone can provide! I appreciate it greatly!
Ben
I have a server that for some reason, out of the blue is now having a huge amount of its email being rejected, coming back with 550 5.7.1 NDR's or various derivatives thereof. This just started happening a couple days ago suddenly. This is happening to a large number of domains. At first I thought it was just email hosted by GoDaddy because several of them were hosted there. However, it is now apparent that the issue is much more widespread.
I have:
Checked DNSBL lists.
Scanned the Local PC's for Malware/spyware.
Verified that only the server can send SMTP traffic through the firewall.
Sent email address through an administrator account.
Sent emails that are only text based.
Sent emails that are HTML based.
Sent basic emails (nothing attached, just a test text body, no signature).
Sent email through OWA directly.
Had the recipients add the domain to a safe sender list in Outlook.
Verified SPF records.
Verified rDNS records.
For the fun of it changed the external IP address that the email flows from with no change.
I am running out of ideas to try. Any suggestions would be GREATLY appreciated.
This server is connected directly to the firewall, the firewall does not perform any filtering.
I am pasting an example NDR. What is really odd is that it looks like it passes all the spam checks and is given a SPF rating of -4, mentions that is is on a safe sender and then just gives up.
#< #5.7.1 smtp;550 5.7.1 Message rejected due to content restrictions> #SMTP#
Original message headers:
Received: from mail23-am1-R.bigfish.com ([161.7.8.25]) by DOAISD75213.mtdmz.ad
over TLS secured channel with Microsoft SMTPSVC(7.0.6002.18222); Fri, 21 Feb
2014 08:31:22 -0700
Received: from mail23-am1 (localhost [127.0.0.1])
by mail23-am1-R.bigfish.com (Postfix) with ESMTP id ADCFD1003A1
for <_________>; Fri, 21 Feb 2014 15:31:20 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:69.146.164.109;KIP:(null);UIP:(null);IPV:NLI;H:mail.bearpaw.org;RD:mail.bearpaw.org;EFVD:NLI
X-SpamScore: -4
X-BigFish: vps-4(zz1861Ic89bh103dKa40Ic857hde40hzz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1de098h8275bh1de097h186068hz2fh109h2a8h839h8e2h8e3hd25h1288h12a5h12bdh137ah13eah1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h1b0ah1bceh224fh1d0ch1d2eh1d3fh1dc1h1dfeh1dffh1e1dh1fe8h1ff5h20f0h2216h22d0h2336h2438h2461h2487h24d7h2516h2545h255ehbe9i34h1155h)
X-MS-Exchange-Organization-Force-TLS: 0
X-FFO-Routing-Override: mt.gov%161.7.8.28;
Received-SPF: pass (mail23-am1: domain of bearpaw.org designates 69.146.164.109 as permitted sender) client-ip=69.146.164.109; envelope-from=__________; helo=mail.bearpaw.org ;.bearpaw.org ;
X-MS-Exchange-Organization-Antispam-Report: OrigIP: 69.146.164.109;Service: EHS
Received: from mail23-am1 (localhost.localdomain [127.0.0.1]) by mail23-am1 (MessageSwitch) id 1392996678568717_17980; Fri, 21 Feb 2014 15:31:18 +0000 (UTC)
Received: from AM1EHSMHS006.bigfish.com (unknown [10.3.201.228])
by mail23-am1.bigfish.com (Postfix) with ESMTP id 7ADCB240079
for <_________>; Fri, 21 Feb 2014 15:31:18 +0000 (UTC)
Received: from mail.bearpaw.org (69.146.164.109) by AM1EHSMHS006.bigfish.com
(10.3.207.106) with Microsoft SMTP Server (TLS) id 14.16.227.3; Fri, 21 Feb
2014 15:31:15 +0000
Received: from SERVER.bpd.local ([fe80::50fe:d0bf:d57d:2f5d]) by
SERVER.bpd.local ([fe80::50fe:d0bf:d57d:2f5d%10]) with mapi; Fri, 21 Feb 2014
08:31:13 -0700
Content-Type: multipart/mixed;
boundary="_000_0D7E2AB4DAB13448A100F4A967F15C29010F798434DASERVERbpdlo_"
From:___________
To: _____________
Date: Fri, 21 Feb 2014 08:31:10 -0700
Subject: __________________________
Thread-Topic: _____________________________
Thread-Index: Ac8toIauLfTa3ulLRaCz4ClaFcUdMgArks5QAAS1bmAALg/IMA==
Message-ID: <0D7E2AB4DAB13448A100F4A967F15C29010F798434DA@SERVER.bpd.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <0D7E2AB4DAB13448A100F4A967F15C29010F798434DA@SERVER.bpd.local>
acceptlanguage: en-US
MIME-Version: 1.0
X-MS-Exchange-Organization-OriginalArrivalTime: 21 Feb 2014 15:31:15.9707
(UTC)
X-MS-Exchange-Organization-OriginalClientIPAddress: 69.146.164.109
X-MS-Exchange-Organization-OriginalServerIPAddress: 10.3.207.106
X-MS-Exchange-Organization-AuthSource: AM1EHSMHS006.ehs.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-ConnectorInfo: Dn%*$RO%0$FUIP%$LKIP%$KIPT%0$Id%0$Di%0$Tls%0$SF%0$PF%0$CF%0$FQDN%$TlsDn%$IpfH%IPV:NLI$EnfH%H:mail.bearpaw.org;RD:mail.bearpaw.org;EFVD:NLI$
X-MS-Exchange-Organization-Company-Id:
X-MS-Exchange-Organization-Attributed-Sender-Id:
X-MS-Exchange-Organization-OriginalSize: 283945
X-MS-Exchange-Organization-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-MessageLatencyInProgress: LSRV=AM1EHSMHS006.ehs.local:TOTAL=2|SMR=2;2014-02-21T15:31:18.435Z
Return-Path: _____________________
X-OriginalArrivalTime: 21 Feb 2014 15:31:22.0430 (UTC) FILETIME=[F98A1DE0:01CF2F19]
Thank you very much for any help that anyone can provide! I appreciate it greatly!
Ben